Enrich threat observables with VirusTotal

Latest Dynatrace Preview

The Dynatrace integration with VirusTotal brings threat intelligence context into alerts and detection investigations to help organizations combat online abuse, such as cyber-attacks, spamming, and other malicious activities.

With observable enrichment with reputation generated from the threat information provided by VirusTotal, you can perform more efficient security investigations and automate alert triaging, reducing the noise with threat-aware prioritization.

How it works

how it works

Dynatrace integration with VirusTotal is an app that you can install from Dynatrace Hub.

The app delivers a workflow action for observable enrichment in Workflows.

Once the app is installed and configured

  1. Various consumer apps can perform an on-demand enrichment of observables, such as IP addresses.

  2. During the enrichment, Dynatrace reaches out to VirusTotal to perform the observable enrichment.

  3. The threat intelligence context is displayed within the consumer apps or in Workflows.

Prerequisites

Register with VirusTotal and create an API v3 key.

Get started

  1. In Dynatrace, open Dynatrace Hub.

  2. Look for VirusTotal and select Install.

  3. Select Set up , then select Configure new connection.

  4. Follow the on-screen instructions to set up the connection using the API key obtained in Prerequisites.

    Allowed outbound connections are extended automatically with www.virustotal.com.

    1. In Settings, go to Preferences > Limit Outbound Connections.
    2. Select Add item and add the domain.
    3. Select Save changes.

  5. Test the connection to ensure the correct configuration and save it.

Use cases

Once you set up the VirusTotal integration, you can enrich observables, such as IP addresses, with threat intelligence context.

Key use cases include:

  • Threat-informed security investigations Coming soon

  • Automated threat-alert triaging Coming soon

FAQ

Which observable types are currently supported?

Supported observable types: IP addresses (more coming soon).

How will my VirusTotal API quotas will be affected from this integration?

For every new observable enrichment, we perform a single API call.